Facebook Doubles Down On Misusing Your Phone Number

When we publicly demanded that Facebook stop messing with users’ phone numbers last week, we weren’t expecting the social network to double down quite like this: By default, anyone can use the phone number that a user provides for two-factor authentication (2FA) to find that user’s profile. For people who need 2FA to protect their account and stay safe, Facebook is forcing them into unnecessarily choosing between security and privacy.

While settings are available to choose whether “everyone,” “friends of friends,” or “friends” can use your phone number this way, there is no way to opt out completely.

The problems with Facebook’s phone number look-up feature are not entirely new. Facebook even promised to disable the functionality last April in the wake of the Cambridge Analytica scandal. Now, others can no longer enter your phone number directly into the Facebook search bar to find your profile. Instead, they can still use your phone number “in other ways, such as when someone uploads your contact info to Facebook from their mobile phone,” a Facebook spokesperson told USA Today. Those "other ways" are what the settings shown above control. But whether they have to type it into Facebook’s search bar or into their phone contacts, the result is the same: others can use your phone number to find your Facebook profile.

Now, since Facebook started requiring page administrators to enable 2FA last summer, it’s safe to assume that more people have started using the security feature and noticing how Facebook mismanages it. (Although Facebook stopped requiring phone numbers for 2FA enrollment last May, phone number-based 2FA can still be the most usable option for many people.)

In response to a tweet from a Page administrator pointing out this critical problem, Facebook has been forced to respond to user concerns and media reports. Facebook’s response has been less than reassuring. TechCrunch reports:

When asked specifically if Facebook will allow users to opt-out of the setting, Facebook said it won’t comment on future plans. And, asked why it was set to “everyone” by default, Facebook said the feature makes it easier to find people you know but aren’t yet friends with.

Now, the scope of Facebook’s phone number problem seems even wider. In defiance of user expectations and security best practices, it is exposing users’ 2FA phone numbers not only to advertisers but also to, well, anyone. Facebook must fix this before more people are put at risk. It should never have made phone numbers that were provided for security searchable by everyone in the first place.
